Android Touch-Event Hijacking

With the recent release of Android 2.3 (Gingerbread), developers can now protect themselves from a new twist on an old bug: TapJacking. Like ClickJacking on the web, TapJacking occurs when a malicious application displays a fake user interface that seems like it can be interacted with, but actually passes interaction events such as finger taps to a hidden user interface behind it. Using this technique, an attacker could potentially trick a user into making purchases, clicking on ads, installing an application, granting permissions, or even wiping all of the data from their phone.

Earlier this year we contacted the Android Security Team at Google about the issue and they were able to build a fix into Android 2.3 (Gingerbread). In Android, an attacker is able to display the fake user interface by creating a customized notification (called a Toast) to obscure the real interface. To allow developers to protect their user interfaces from TapJacking, Android 2.3 added the ability for Views to prevent interaction events when they are obscured by another view.

Essentially, this makes a View only usable when it is actually visible (not covered by another window), eliminating the possibility that a user accidentally interacts with a hidden View. The new feature for View objects can be used in two ways: by setting the filterTouchesWhenObscured property to true or by overriding the onFilterTouchEventForSecurity method. It’s important to remember that these security features are opt-in: a View is not protected from TapJacking unless the developer explicitly enables them.
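The following is an added example (not code from the Lookout post) showing both mechanisms on a single custom Button: the filterTouchesWhenObscured property is enabled in the constructor, and onFilterTouchEventForSecurity is overridden to log any touch the platform drops because the window was obscured. It assumes Android 2.3 (API level 9) or later, since that is where these View APIs and the MotionEvent.FLAG_WINDOW_IS_OBSCURED flag were introduced; the class name and log tag are hypothetical.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Hypothetical Button subclass that refuses touches delivered while its
 * window is covered by another window (for example a Toast overlay) and
 * logs the rejected events so overlay activity can be noticed in testing
 * or in crash/diagnostic reports.
 *
 * The same protection can be enabled without any code by adding
 * android:filterTouchesWhenObscured="true" to the View in layout XML.
 */
public class ObscuredTouchFilteringButton extends Button {
    private static final String TAG = "ObscuredTouchFilteringButton";

    public ObscuredTouchFilteringButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Mechanism 1: the filterTouchesWhenObscured property. With this set,
        // the platform's default onFilterTouchEventForSecurity already drops
        // touches that arrive while the window is obscured.
        setFilterTouchesWhenObscured(true);
    }

    // Mechanism 2: override the security filter hook. Returning false
    // discards the event before the View's normal touch handling sees it.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // The system sets FLAG_WINDOW_IS_OBSCURED when another visible window
        // overlapped this View's window at the moment the touch occurred.
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            if (event.getAction() == MotionEvent.ACTION_DOWN) {
                Log.w(TAG, "Dropped touch at (" + event.getX() + ", " + event.getY()
                        + "): window obscured, possible TapJacking overlay");
            }
            return false; // never act on a tap the user could not see
        }
        // Not obscured: defer to the platform default, which will also
        // honor filterTouchesWhenObscured for any case we did not cover.
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Because the protection is per-View, it should be applied to every control whose activation has consequences (purchase confirmations, permission grants, install or wipe buttons); unprotected Views in the same Activity remain tappable through an overlay. Users on releases before 2.3 get no benefit from either mechanism, so the override above degrades to normal behavior there only if the app's minimum SDK is raised to 9 or the calls are guarded by a version check.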

How TapJacking works:
http://vimeo.com/17648348

Read the complete article on The Lookout Blog
